Jump to content

Multiple issues with the webapi


SandroL

Recommended Posts

Hi, i'm evaluating the usage of passwordstate for the company i'm working for and one of the main criteria is the webapi. I'm connectiong to the api with a python script and i have found three issues that i think could be bugs, and one is a showstopper for us.

 

1. The searchpasswords function in combination with a passwordlist-id and username seems to be broken

 

Examplecode:

headers = { 'APIKey': apiKey }
uri = 'https://ourvault.ourtld/api/searchpasswords/'+str(passwordlist['PasswordListID'])+"?username="+user
response = requests.get(uri, headers=headers, verify=False)

print(uri)
print()
print(response.status_code)
print()
print(response.headers)
print()
print(response.content)

Results:

 

URI: https://ourvault.ourtld/api/searchpasswords/26?username=root

 

Returncode: 500

 

Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Length': '120', 'Content-Type': 'text/plain; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Wed, 29 Aug 2018 09:18:31 GMT'}

 

Returnbody: b'[{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object reference not set to an instance of an object."}]}]'
 

api/passwords/26?QueryAll is working fine, so it seems it's the searchpasswords function.

 

2. Inserting hosts is working, but returns an error

 

Examplecode:

data = json.loads(parameters)
data['HostName'] = hostname
data['HostType'] = "Linux"
data['APIKey'] = apiKey

print(data)
print()

uri = 'https://ourvault.ourtld/api/hosts'
response = requests.post(uri, data=data, verify=False)

print(uri)
print()
print(response.status_code)
print()
print(response.headers)
print()
print(response.content)

 

Results:

 

POSTDATA: {'HostType': 'Linux', 'OperatingSystem': 'Ubuntu', 'RemoteConnectionType': 'SSH', 'RemoteConnectionPortNumber': '22', 'InternalIP': '192.168.1.57', 'MACAddress': '28-C2-DD-E2-52-0E', 'VirtualMachine': 'True', 'VirtualMachineType': 'VMware', 'HostName': 'testhost', 'APIKey': '49d65a2cb83e73f733a8d5f4cb26e94d'}

 

URI: https://ourvault.ourtld/api/hosts

 

Returncode: 500

 

Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Length': '120', 'Content-Type': 'text/plain; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Wed, 29 Aug 2018 09:30:12 GMT'}

 

Returnbody: b'[{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object reference not set to an instance of an object."}]}]'

 

The host is getting inserted correctly, but the expected returnbody is broken. 

 

3. The hostsearch function is broken

 

Examplecode:

headers = { 'APIKey': apiKey }
uri ='https://ourvault.ourtld/api/hosts?HostName='+hostname
response = requests.get(uri, headers=headers, verify=False)

print(uri)
print()
print(response.status_code)
print()
print(response.headers)
print()
print(response.content)

Results:

 

URI: https://ourvault.ourtld/api/hosts?HostName=testhost

 

Returncode: 500

 

Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Length': '120', 'Content-Type': 'text/plain; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Wed, 29 Aug 2018 09:21:38 GMT'}

 

Returnbody: b'[{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object reference not set to an instance of an object."}]}]'
 

The examplehost "testhost" exists in our passwordstate instance. 

 

Also strange is that in the Apidocs, the GET function for hosts is declared as "GET /api/hosts", but all the search examples are for the path "/winapi/hosts/"

 

Other functions like creating folders, passwordlists and passwords are working witout any problems.

Link to comment
Share on other sites

Hi Sandro,

 

Sorry you're having some issues. We don't have any python experience unfortunately, so hopefully someone else from the community can help if it's a syntax issue.

For the searching of passwords, I could not reproduce your issue in PowerShell. Can you try the following in PowerShell and see if that works for you (Replace your API Key as appropriate):

 

Invoke-Restmethod -Method GET -Uri 'https ://o urvault.ourtld/api/searchpasswords/26?user name=ro ot' -Header @{ "APIKey" = "8e796d2b543fac8f57b23cae49d6fc58" }

 

And we think you have helped us find a bug with relation to querying Hosts records - which is also done when you Add a new host record. Could you contact us via our support page, and we will provide you an updated API to test with? Basically if the field DatabaseServerType is NULL in the database, this is causing the error. I've fixed this in the next release, but can provide you an updated API now if you need to continue on with your evaluation.

Regards

Click Studios

 

 

 

Link to comment
Share on other sites

- I'm getting the same error in powershell too for the searchpasswords function (see screenshots).


- A new api would not be necessary for the query host problem when it'll be patched in the next version. When do you expect the next releasedate for the bugfixed version?

 

Best regards

 

Sandro

Screenshot (351).png

Screenshot (350).png

Screenshot (349).png

Link to comment
Share on other sites

Hi Sandro,

 

We've released build 8455 today, which fixes the issues in the API with regards to Host records. Can you please use one of the upgrade methods outlined in this document - https://www.clickstudios.com.au/downloads/version9/Upgrade_Instructions_From_V5.pdf

 

I've just tested your 'searchpasswords' API query again in build 8455, and it appears to be working fine for me. Can you let us know if you still have issues with this call also after upgrading?

Thanks very much.

Regards

Click Studios

Link to comment
Share on other sites

Hi,

 

bugs 2 and 3 are fixed (host api), but bug 1 (searchpasswords) persists in build 8459.

 

Here is my code:

 

headers = { 'APIKey': apiKey }
uri = "https://ourvault.ourtld/api/searchpasswords/"+str(passwordlist['PasswordListID'])+"?username="+user
response = requests.get(uri, headers=headers, verify=False)

print(uri)
print()
print(response.status_code)
print()
print(response.headers)
print()
print(response.content)

Results:

 

URI: https://ourvault.ourtld/api/searchpasswords/59?username=root

 

Returncode: 500

 

Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Length': '120', 'Content-Type': 'text/plain; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Mon, 03 Sep 2018 11:37:14 GMT'}

 

Returnbody: b'[{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object reference not set to an instance of an object."}]}]'

 

 

Here the api/passwords QueryAll to compare:


 

headers = { 'APIKey': apiKey }
uri = "https://ourvault.ourtld/api/passwords/"+str(passwordlist['PasswordListID'])+"?QueryAll"
response = requests.get(uri, headers=headers, verify=False)

print(uri)
print()
print(response.status_code)
print()
print(response.headers)
print()
print(response.content)

 

URI: https://ourvault.ourtld/api/passwords/59?QueryAll

 

Returncode: 200

 

Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Type': 'application/json; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Mon, 03 Sep 2018 11:37:14 GMT', 'Content-Length': '412'}

 

Returnbody: b'[{"PasswordID":13,"Title":"ssh","Domain":"","HostName":"testhost","UserName":"root","Description":"","GenericField1":"","GenericField2":"","GenericField3":"","GenericField4":"","GenericField5":"","GenericField6":"","GenericField7":"","GenericField8":"","GenericField9":"","GenericField10":"","AccountTypeID":0,"Notes":"","URL":"","Password":"XXXXXX","ExpiryDate":"","AllowExport":true,"AccountType":""}]'

Link to comment
Share on other sites

Hello,

 

There must be something else causing this now, as I cannot replicate this issue - I'm using the format below, and this seems to be working for me:

 

Invoke-Restmethod -Method GET -Uri 'https://passwordstatetest.domain.com/api/searchpasswords/183?username=root' -Header @{ "APIKey" = "b2a57c34fe96d8f36a89c25eb47d4b6c" }

 

The previous issue that I was able to reproduce was caused by not having a System Wide API Key specified on the screen Administration -> System Settings -> API tab. I don't think it will help, but can you try creating one, then restart IIS, and see if that makes any difference?

Regards

Click Studios

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...